Apache flaw patched
Results 1 to 2 of 2

Thread: Apache flaw patched

  1. #1
    PHP/PostgreSQL guy
    Join Date
    Dec 2001
    Posts
    1,164

    Apache flaw patched

    Just for recount for those that may not have noticed, a flaw in the Apache web server has been patched.

    The article is here...

    As quoted:

    The buffer overflow flaw affects Apache httpd versions 1.3.26, 1.3.27, 1.3.28, 1.3.29 and 1.3.31, which were configured to act as proxy servers. Apache httpd 2.0 and other versions of Apache httpd 1.3 are unaffected.

    An Apache Week advisory said the buffer overflow can be triggered by getting the mod_proxy feature to connect to a remote server and return an invalid content-length.
    And...

    The risk of code execution is high on older OpenBSD/FreeBSD distributions because of the internal implementation of memcpy, which re-reads the length value from the stack. On newer BSD distributions, it may be exploitable because the implementation of memcpy will write three arbitrary bytes to an attacker-controlled location, according to the alert.
    My own opinions still remain the same...it's great to see these flaws fixed in a very timely manner because apache, being the #1 web server used worldwide, one would've thought they'd have a lot more vulnerabilities.

    On a separate debate, for those that say that because windows is the most used desktop OS, it's going to be hammered with problems, as time has already shown. My question is, with Apache being the most used web server WORLDWIDE, why do they not have anywhere near the exploits, problems, etc that IE/Windows have?

    From Netcraft's latest survey (here):

    Apache has 35,122,146 servers out there as of July 2004 (67.37%) while IIS has 11,115,660 servers as of July 2004 (21.32%).

    Those numbers are simply staggering and it just tells me what a better product can do. This is not meant to be a flame on IIS, but more or less showing those that think that a product being #1 would be the most exploited simply isn't true.
    We the willing, led by the unknowing, have been doing the impossible for the ungrateful. We have done so much with so little for so long that we are now qualified to do just about anything with almost nothing.

  2. #2
    Senior Member
    Join Date
    Jan 2002
    Posts
    1,207
    My own opinions still remain the same...it's great to see these flaws fixed in a very timely manner because apache, being the #1 web server used worldwide, one would've thought they'd have a lot more vulnerabilities.
    You obviously didn't actually read the text then, this vulnerability only affects Apache installations being used as a proxy server. This is something which it is very rarely used for.

    Slarty

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •